Filter by time where date is in separate field

Path Finder

I need some help to filter by time, but the time field is not the internal Splunk time field. Instead, it is a date field from a lookup spreadsheet that corresponds to the object's file creation.

I want to be able to filter on objects that are created only in the previous month.

The format of the lookup date field is like this:

Created=8/26/2019 17:01

0 Karma

Explorer

You can create the _time field right in the search query, like this:


| eval _time=strptime(Created,"%m/%d/%Y %H:%M")

0 Karma
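
Added example, not part of the original thread: a search that parses a `Created` value in the `8/26/2019 17:01` layout and keeps only rows created in the previous calendar month, using `relative_time` to snap to month boundaries. The three rows are constructed with `makeresults` so the search runs without the lookup; the field names `created_epoch` and `sample_note` are assumptions, and with real data the first four lines would be replaced by an `inputlookup` of the spreadsheet.

```spl
| makeresults count=3
| streamstats count AS n
| eval sample_note="constructed row, not real lookup data"
| eval Created=strftime(relative_time(now(), case(n=1, "-2mon@mon", n=2, "-1mon@mon", n=3, "@mon")) + 3600, "%m/%d/%Y %H:%M")
| eval created_epoch=strptime(Created, "%m/%d/%Y %H:%M")
| where isnotnull(created_epoch)
| where created_epoch >= relative_time(now(), "-1mon@mon") AND created_epoch < relative_time(now(), "@mon")
| eval _time=created_epoch
| table _time Created sample_note
```

Only the row built from `-1mon@mon` survives the filter; the `isnotnull` check drops any row whose `Created` value does not match the format string instead of letting it pass silently.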